ABSTRACT : PROBLEM TO BE SOLVED: To provide a ciphering device capable of increasing safety while compatibility with DES (data encryption standard) is maintained.

SOLUTION: This device is provided with two identically structured key schedule parts A, B for developing two ciphering keys, which are obtainable by bisecting key information consisting of a prescribed number of bits, each into an intermediary key for stirring an inputted message; with an exclusive OR part 14 for determining the exclusive OR of the two intermediary keys outputted from these two key schedule parts A, B; and with a stirring part for stirring the inputted message, using one of the intermediary keys if the two keys are detected to be identical to each other (the exclusive OR is zero), and using both keys if the two keys compared are detected to be different from each other.
Abstract — The security of DES-like cryptosystems depends heavily on the strength of the substitution boxes (S-boxes) used. The design of new S-boxes is therefore an important concern in the creation of new and more secure cryptosystems. The full set of design criteria for the S-boxes of DES has never been released and a complete set has yet to be proposed in the open literature. This paper introduces a unified S-box design framework based on information theory and illustrates how it can be used to strengthen and design the S-boxes used in DES-like cryptosystems.



Introduction 



DES-like cryptographic algorithms are based on substitution-permutation networks (SP networks). In these cryptosystems encryption is carried out using alternating layers of substitutions and permutations as shown in Figure 1. In this class of cryptosystem the security depends heavily on the properties of the substitutions (S-boxes) which are used. Since it is very difficult to create large S-boxes with known properties they are often built out of smaller S-boxes as shown in Figure 2. Unfortunately this construction does not produce the best possible S-boxes and increases the importance of the properties of the smaller S-boxes used. It is therefore very important to use S-boxes with the best possible properties in the construction of DES-like cryptosystems.

Figure 1 Substitution-Permutation Network

Figure 2 Use of a set of smaller substitutions to create a larger one

In this paper we present a unified S-box design framework based on information theoretic concepts and we show that by using these criteria we can find S-boxes which can be used to build stronger cryptosystems. As an example we illustrate how strengthened S-boxes can be easily integrated into the DES structure. The criteria are also used to explain some aspects of the construction of the DES S-boxes.

Background 

Cryptographic substitutions, first introduced by Shannon in [1], were further refined and explained in [2][3]. It has been shown in [4][5] and more recently in [6] that poor S-boxes can lead to weak cryptosystems. The S-boxes of DES [7] have been subject to much analysis (see [8][9][10][11] and others).

Work on defining desirable properties of S-boxes has been presented in [12][13][14][15][16][17]. More recently, some properties based on information theory were presented by Forré in [11]. Despite the previous investigations into the desirable properties of S-boxes, a comprehensive set of design criteria for S-boxes has yet to be presented.

We will extend the set of desirable properties of S-boxes using information theory and use these properties to propose a set of design criteria for S-boxes.

Static and Dynamic Views of an S-box 

S-boxes can be viewed in two ways. The first is the static view of the S-box, which describes the S-box when the inputs are not changing. The second is the dynamic view of the S-box, which describes the S-box when the inputs are changing.

Much of the previous work on S-boxes has focused on the static properties of S-boxes. The static view of an S-box, with inputs $X = [x_1, \ldots, x_m]$ and outputs $Y = [y_1, \ldots, y_n]$, can be envisioned as shown in Figure 3.
Properties of Ideal S-boxes
Based on Information Theory

An Ideal S-box should behave as randomly as possible; however, due to the deterministic nature of S-boxes, the input-output relations are known. The best an Ideal S-box can do, then, is to behave as randomly as possible when only partial information is known about the inputs and outputs. In [11] Forré developed two properties of an Ideal mxn bit S-box based on similar ideas. Her first property was that the uncertainty in the output bits is not reduced by the knowledge of any subset of the input bits. The second property was that the uncertainty in any unknown output bits is not reduced by the knowledge of the other output bits.

We have defined a set of six properties that an Ideal S-box must meet. This set of properties has a broader scope than those of Forré, and any S-box that meets these properties will also meet Forré's. The properties are grouped into a set of static properties and a set of dynamic properties.



Figure 3 Static View of an mxn S-box 



The importance of certain dynamic properties of an S-box was introduced by Feistel in [2] and refined in [14]. More recently Biham and Shamir's work on differential cryptanalysis [6] stimulated us to discover that a broader range of dynamic properties of S-boxes are important in DES-like cryptosystems. When considering the dynamic properties of an S-box, it is useful to refer to the delta S-box shown in Figure 4.

Figure 4 Dynamic View of an mxn S-box



In Figure 4 the values of the vector $X = [x_1, \ldots, x_m]$ are the current inputs to the S-box and can be viewed as the state of the delta S-box. The $\Delta x_i$ and the $\Delta y_i$ are the changes in the inputs and outputs respectively. The current state $X$ is usually unknown and it is assumed that any relation found between the $\Delta x_i$ and the $\Delta y_i$ is over all possible states.



Static Properties 

The first static property is that partial information about the inputs and outputs of an S-box does not reduce the uncertainty in an unknown output. Note that this is a stronger property than Forré's because partial knowledge about the output is also given. More formally:

$$H(y_i \mid x_{j_1}, \ldots, x_{j_k}, y_{l_1}, \ldots, y_{l_p}) = H(y_i)$$

for all $i, j, k, l, p$ with $1 \le i \le n$, $1 \le k \le m-1$, $1 \le j_1, \ldots, j_k \le m$, $1 \le p \le n-1$, $1 \le l_1, \ldots, l_p \le n$, $l_q \ne i$.

The second static property is that partial information about the inputs and outputs does not reduce the uncertainty in an unknown input. This property is required because the S-box can often be attacked from both the input and output directions. Note that this is a stronger property than Forré's because partial knowledge about the input is also given. More formally:

$$H(x_i \mid x_{j_1}, \ldots, x_{j_k}, y_{l_1}, \ldots, y_{l_p}) = H(x_i)$$

for all $i, j, k, l, p$ with $1 \le i \le m$, $1 \le k \le m-1$, $1 \le j_1, \ldots, j_k \le m$, $j_q \ne i$, $1 \le p \le n-1$, $1 \le l_1, \ldots, l_p \le n$.

The third static property is that the uncertainty in a data value is reduced by the minimum amount possible when it passes through an S-box. This means that the uncertainty in the output of the S-box is as great as the uncertainty in the input of the S-box, and if this is not possible, because $m > n$, that the uncertainty in the output is the maximum for the number of output bits. This property is desirable so that one cannot guess the output of the S-box more easily than the input. More formally, let $X = [x_1, \ldots, x_m]$ and $Y = [y_1, \ldots, y_n]$ where $m \ge n$; then:

$$H(Y) = \begin{cases} H(X) & \text{if } H(X) \le n \\ n & \text{otherwise} \end{cases}$$

Dynamic Properties

The dynamic properties are similar to the static properties except that they deal with the changes to the inputs and outputs. The dynamic properties are defined in the same way as the corresponding static properties except that the inputs and outputs are replaced by the changes in the inputs and outputs. For example the first dynamic property, that partial information about the changes in the inputs and outputs does not reduce the uncertainty in the changes of the unknown outputs, is defined formally as:

$$H(\Delta y_i \mid \Delta x_{j_1}, \ldots, \Delta x_{j_k}, \Delta y_{l_1}, \ldots, \Delta y_{l_p}) = H(\Delta y_i)$$

for all $i, j, k, l, p$ with $1 \le i \le n$, $1 \le k \le m$, $1 \le j_1, \ldots, j_k \le m$, $1 \le p \le n-1$, $1 \le l_1, \ldots, l_p \le n$, $l_q \ne i$. It is assumed that the state of the delta S-box is unknown and any properties hold over all states.



Design Criteria 

Using the information theoretic properties of an Ideal S-box we define a set of static and dynamic criteria for mxn bit S-boxes. The definitions of the static properties refer to the static S-box and are for an mxn bit S-box with inputs $X$ and outputs $Y$. There are 6 static properties: Input-output Independence, Output-input Independence, Output-output Independence, Non-linearity, Information Completeness, and Invertibility. The definitions of the dynamic properties refer to the delta S-box with changes to the inputs $\Delta X$ and changes to the outputs $\Delta Y$. There are 3 dynamic properties: Dynamic Input-output Independence, Dynamic Output-input Independence, and Dynamic Output-output Independence. In addition to the 9 information theoretic design criteria which are fundamental to any good S-box, we will discuss three types of avalanche criteria which may be necessary depending on how the S-boxes will be used.

The Input-output Independence criterion of order r is used to select S-boxes for which knowledge of r input values does not reduce the uncertainty in the output values. Formally an S-box meets the Input-output Independence criterion of order r, r < m, iff:

$$\Pr(y_j \mid a_1 x_1, \ldots, a_m x_m) = \Pr(y_j)$$

for all $x_i, y_j, a_k$ with $1 \le j \le n$, $1 \le i, k \le m$, $(a_k, x_i, y_j) \in \{0, 1\}$, $\sum_{k=1}^{m} a_k = r$, where $a_k = 1$ denotes that $x_k$ is given and $a_k = 0$ denotes that $x_k$ is not given. Note that the highest order of Input-output Independence that can be met is m−1. To meet Input-output Independence of order m the input-output relation would have to be unknown and this is never true.

The Output-input Independence criterion is used to select S-boxes for which knowledge of some of the outputs does not reduce the uncertainty in the inputs. This criterion is defined in exactly the same way as Input-output Independence except that the inputs and outputs are reversed.

The Output-output Independence criterion is used to select S-boxes for which partial information about the output bits does not reduce the uncertainty in the unknown output bits. Formally an S-box meets the Output-output Independence criterion of order r, r < n, iff:

$$\Pr(y_j \mid a_1 y_1, \ldots, a_n y_n) = \Pr(y_j)$$

for all $y_k, a_k$ with $1 \le k \le n$, $(a_k, y_k) \in \{0, 1\}$, $a_j = 0$, $\sum_{k=1}^{n} a_k = r$, where $a_k = 1$ denotes that $y_k$ is given and $a_k = 0$ denotes that $y_k$ is not given. It is important to note that this criterion is met for all orders of n−1 or less by any invertible S-box, because all of the $2^n$ possible outputs occur with equal probability assuming the inputs occur with equal probability. It can also be shown that any mxn bit S-box made up of invertible nxn bit S-boxes meets the Output-output Independence criterion for all orders up to n−1.

Non-linearity is a crucial property of an Ideal S-box. It is the Non-linearity of an S-box that prevents it from being expressed as a set of linear equations, which could then be used to break any cryptosystem using that S-box. Non-linearity has been proposed as a design criterion previously and is defined in [12].

Kam and Davida in [13] define Completeness as: for every possible input value every output bit depends on all input bits and not just a proper subset of the input bits. As noted by Forré in [11] this is a weak concept. We extend this definition, to define Information Completeness, by requiring that each output bit depend on all the information in each input bit as opposed to depending on only part of the information in each bit.

The Invertibility criterion is generally known to be a desirable property of nxn S-boxes. An S-box is invertible iff it is a one to one mapping. More formally, an n bit S-box, S, is invertible iff:

$$S(X_1) = S(X_2) \iff X_1 = X_2 \qquad \forall X_1, X_2 \in \{0, 1\}^n$$

An Ideal nxn S-box must meet this criterion because otherwise there are fewer output values than there are input values. If there are fewer output values than input values there is less uncertainty in the output than in the input, and the third static property of an Ideal S-box will not be met.

The Dynamic Input-output Independence criterion, of order r, is used to select S-boxes for which knowledge of the changes in r input bits does not reduce the uncertainty in the changes of the outputs. Formally, an S-box meets the Dynamic Input-output Independence criterion of order r, r ≤ m, iff:

$$\Pr(\Delta y_j \mid a_1 \Delta x_1, \ldots, a_m \Delta x_m) = \Pr(\Delta y_j)$$

for all $\Delta x_i, \Delta y_j, a_k$ with $1 \le j \le n$, $1 \le i, k \le m$, $(a_k, \Delta x_i, \Delta y_j) \in \{0, 1\}$, $\sum_{k=1}^{m} a_k = r$, where $a_k = 1$ denotes that $\Delta x_k$ is given and $a_k = 0$ denotes that $\Delta x_k$ is not given. It can be shown that the Strict Avalanche Criterion introduced and defined in [14], and all its extensions, are a subset of Dynamic Input-output Independence of order m.

The Dynamic Output-input Independence criterion is used to select S-boxes for which knowledge of some of the output changes does not reduce the uncertainty in the input changes. This criterion is defined in exactly the same way as Dynamic Input-output Independence except that the input changes and output changes are reversed.






The Dynamic Output-output Independence criterion, of order r, is used to select S-boxes for which the knowledge of r of the output changes and a particular pattern of input changes does not reduce the uncertainty in the unknown output changes. Formally an S-box meets the Dynamic Output-output Independence criterion of order r, r ≤ n−1, iff:

$$\Pr(\Delta y_j \mid a_1 \Delta y_1, \ldots, a_n \Delta y_n, \Delta x_1, \ldots, \Delta x_m) = \Pr(\Delta y_j)$$

for all $\Delta x_i, \Delta y_j, a_k$ with $1 \le j \le n$, $1 \le i \le m$, $1 \le k \le n$, $(a_k, \Delta x_i, \Delta y_j) \in \{0, 1\}$, $a_j = 0$, $\sum_{k=1}^{n} a_k = r$, where $a_k = 1$ denotes that $\Delta y_k$ is given and $a_k = 0$ denotes that $\Delta y_k$ is not given.

Many of the previously proposed design criteria for S-boxes are used to ensure that the cryptosystem in which they are used possesses certain kinds of avalanche. We do not view the properties which these criteria require as fundamental properties of S-boxes; however, they may be necessary when S-boxes are used in certain types of cryptosystems. The avalanche properties can be divided into three classes: Probabilistic Avalanche, Directed Avalanche, and Minimal Avalanche. Probabilistic Avalanche criteria require that each output of an S-box change with probability 1/2 whenever the input is changed. The changes in the outputs must also be independent. All S-boxes which meet the dynamic information theoretic criteria will possess Probabilistic Avalanche, and this is regarded as the only type of avalanche which is a fundamental property of a good S-box. Directed Avalanche criteria require that each output of an S-box change with probability 1/2 whenever certain patterns of change are made in the input. Again, the changes in the output bits must be independent. Examples of Directed Avalanche criteria are the Strict Avalanche Criterion (SAC) and all of its extensions. Minimal Avalanche criteria require that a minimum number of output bits change when certain patterns of change are made in the input. The DES design criterion that requires that at least two output bits change when one input bit is changed is a good example of a Minimal Avalanche criterion. Neither Minimal nor Directed avalanche properties are fundamental to good S-boxes; however, they may be useful whenever smaller S-boxes are used to create the larger substitutions required in SP network based cryptosystems. When smaller S-boxes are used in SP network based cryptosystems, the permutations used ensure that the outputs of individual S-boxes are distributed to the inputs of distinct S-boxes in the next round. This distribution has the effect of forcing certain patterns of changes in the input (those where 1 or 2 bits change) to be the most likely to occur in the early rounds. Due to this effect it is justified to use Minimal or Directed avalanche criteria to ensure that adequate avalanche will occur for those patterns of change. In other cryptosystems where all of the patterns of change in the inputs are equally likely it does not make sense to require Minimal or Directed Avalanche.

A more detailed description of the design framework can be found in [18, 19, 20].
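The static and dynamic criteria above can be checked exhaustively on S-boxes of DES size. The following is an added example, not code from the paper: it flattens the public DES S-box S1 (the FIPS 46 table) into a 64-entry lookup, measures the largest deviation from Input-output and Output-output Independence of a chosen order (0.0 means the criterion holds exactly), computes H(Y) for the third static property, checks the Invertibility of the four 4x4 sub-boxes, builds the delta S-box over every state and every non-zero input change to test Dynamic Input-output Independence, and reports the Minimal Avalanche figure that the DES criterion asks for. The 4x4 identity S-box is included as a constructed worst case. The measurement of bias against the empirical marginal, the function names and the flattening convention (row chosen by x1 x6, column by x2 x3 x4 x5, x1 the most significant bit) are this example's own choices.

```python
"""Static and dynamic information-theoretic checks on small S-boxes.
Added example for illustration; not code from the paper."""
from itertools import combinations, product
from math import log2

# DES S-box S1 as printed in FIPS 46: 4 rows (selected by x1 x6) of 16
# columns (selected by x2 x3 x4 x5). Each row is an invertible 4x4 sub-box.
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def des_sbox_as_table(rows):
    """Flatten a DES 6x4 S-box into a 64-entry list indexed by the 6-bit
    input x1..x6, x1 being the most significant bit (example convention)."""
    table = []
    for v in range(64):
        row = ((v >> 5) & 1) << 1 | (v & 1)   # x1 x6
        col = (v >> 1) & 0xF                  # x2 x3 x4 x5
        table.append(rows[row][col])
    return table


S1 = des_sbox_as_table(DES_S1)
IDENTITY4 = list(range(16))  # constructed worst case: y = x


def bit(word, i, width):
    """Bit i of word, numbered 1..width from the MSB as in the paper."""
    return (word >> (width - i)) & 1


def conditional_bias(samples, given_width, target_width, r, same_word=False):
    """Largest |Pr(t_j = 1 | r given bits) - Pr(t_j = 1)| over every choice
    of r bits of the given word, every value of those bits and every target
    bit j, for samples = [(given_word, target_word), ...]. 0.0 means the
    independence criterion of order r holds exactly. same_word marks given
    and target as the same word, so bit j is never among the given bits
    (the a_j = 0 condition of Output-output Independence)."""
    total = len(samples)
    marginal = [sum(bit(t, j, target_width) for _, t in samples) / total
                for j in range(1, target_width + 1)]
    worst = 0.0
    for given in combinations(range(1, given_width + 1), r):
        for values in product((0, 1), repeat=r):
            subset = [t for g, t in samples
                      if all(bit(g, i, given_width) == v
                             for i, v in zip(given, values))]
            if not subset:
                continue
            for j in range(1, target_width + 1):
                if same_word and j in given:
                    continue
                p = sum(bit(t, j, target_width) for t in subset) / len(subset)
                worst = max(worst, abs(p - marginal[j - 1]))
    return worst


def static_input_output_bias(sbox, m, n, r):
    """Input-output Independence of order r (r < m) on the static S-box."""
    return conditional_bias([(x, sbox[x]) for x in range(1 << m)], m, n, r)


def static_output_output_bias(sbox, m, n, r):
    """Output-output Independence of order r (r < n)."""
    return conditional_bias([(sbox[x], sbox[x]) for x in range(1 << m)],
                            n, n, r, same_word=True)


def delta_samples(sbox, m):
    """The delta S-box: every state X with every non-zero input change dX,
    paired with the output change dY = S(X) xor S(X xor dX)."""
    return [(dx, sbox[x] ^ sbox[x ^ dx])
            for x in range(1 << m) for dx in range(1, 1 << m)]


def dynamic_input_output_bias(sbox, m, n, r):
    """Dynamic Input-output Independence of order r (r <= m). Order m asks
    whether a fully known input change leaves every output-change bit
    unpredictable over the unknown states (the SAC-style question)."""
    return conditional_bias(delta_samples(sbox, m), m, n, r)


def output_entropy(sbox, n):
    """Third static property: H(Y) for uniform X; the ideal is min(m, n)."""
    counts = [0] * (1 << n)
    for y in sbox:
        counts[y] += 1
    return -sum(c / len(sbox) * log2(c / len(sbox)) for c in counts if c)


def sub_boxes_invertible(rows):
    """Invertibility criterion applied to each nxn sub-box (a DES row)."""
    return all(len(set(row)) == len(row) for row in rows)


def minimal_avalanche(sbox, m):
    """Minimal Avalanche: fewest output bits that change when exactly one
    input bit changes; the DES criterion demands at least 2."""
    return min(bin(sbox[x] ^ sbox[x ^ (1 << k)]).count("1")
               for x in range(1 << m) for k in range(m))


if __name__ == "__main__":
    print("S1 sub-boxes invertible:", sub_boxes_invertible(DES_S1))
    print("S1 H(Y):", output_entropy(S1, 4))
    print("S1 static IOI order 1 bias:", static_input_output_bias(S1, 6, 4, 1))
    print("S1 static OOI order 3 bias:", static_output_output_bias(S1, 6, 4, 3))
    print("S1 minimal avalanche:", minimal_avalanche(S1, 6))
    print("S1 dynamic IOI order 6 bias:", dynamic_input_output_bias(S1, 6, 4, 6))
```

Running it confirms what the text says about S-boxes built from invertible 4x4 sub-boxes: S1 meets Output-output Independence of every order up to 3 and reaches H(Y) = 4, and no single input-bit change alters fewer than two output bits. It also shows where S1 falls short of an Ideal S-box: exact Input-output Independence fails already at order 1 (fixing x3 = 0 moves the probability that the top output bit is 1 from 1/2 to 18/32), and a known change of x6 alone flips the top output bit in 48 of the 64 states, a large deviation from Dynamic Input-output Independence of order 6. Dynamic Output-output Independence, which conditions on a fixed input-change pattern together with r other output changes, is not implemented here.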

Analysis of DES S-boxes 
Using The Design Criteria 

We investigated both the properties of the DES 6x4 bit S-boxes and the DES 4x4 S-boxes. The investigations revealed that we could not find S-boxes with substantially better information theoretic properties than the S-boxes of DES and which also met the acknowledged DES design criteria. This indicates that the S-boxes of DES may be some of the best possible based on a combination of our information theoretic properties and the acknowledged DES design criteria. It is important to note that there were many S-boxes found which met the acknowledged DES design criteria but had poor information theoretic properties.

It was also revealed that the properties of the inverses of the DES 4x4 S-boxes were as good as those of the S-boxes themselves. This indicates that the designers of DES placed an equal emphasis on the properties of the S-boxes and their inverses.

In every case we found that the properties of the complete 6x4 S-boxes were better than any individual 4x4 sub-box. We concluded that using multiple sub-boxes to form a larger S-box is an important method that can be used to create S-boxes that have better properties than are possible in a single sub-box. This gives a possible explanation for why multiple sub-boxes were used to create the S-boxes of DES. Some of the unexplained DES design criteria may have been included to ensure that the properties of the S-boxes created from the 4x4 S-boxes were acceptable.

Further details of the investigations into the properties of the S-boxes of DES are contained in [19].



Applications of the Design Criteria

The design criteria can be used to create larger S-boxes for use in new cryptosystems. As previously discussed, larger S-boxes have better properties and therefore properly designed cryptosystems which use larger S-boxes should be stronger than those which use smaller S-boxes. The design criteria can also be used to select which S-boxes of a particular size should be used to create the best cryptosystems. Further details on the results of using the design criteria to create new and larger S-boxes are given in [19, 20]. The design criteria can also be used to strengthen current cryptosystems by allowing the currently used S-boxes to be evaluated and replaced with stronger ones if necessary. As an example we will discuss a possible approach that could be used to strengthen DES. Our investigations revealed that it was not possible to find 6x4 bit S-boxes with substantially better properties than those of the S-boxes of DES. We therefore suggest that 8x4 bit S-boxes formed from 16 4x4 bit S-boxes can be used. The larger S-boxes should have better properties because more S-boxes are combined together. Investigations of some sample 8x4 bit S-boxes revealed that they did possess better information theoretic properties than any of the DES 6x4 bit S-boxes. The integration of the larger S-boxes into DES is straightforward but will require a modified E expansion and key scheduling algorithm. A new E expansion is shown in Figure 5. The key scheduling algorithm must be modified so that there are two 32 bit halves and each half is shifted by 2 bits in each round. The use of larger halves requires the new PC-1 and PC-2 permutations which are shown in Figures 6 and 7. A discussion on the rules and methods used to create new expansions and permuted choices appears in [21].

Figure 7 New PC-2

The use of the larger S-boxes and the modified key scheduling algorithm increases the key size to a true 64 bits. The new permutations and expansions given are simple extensions of those used in DES. It should be emphasized that this is not a proposal for a strengthened DES but simply an illustration of an approach made possible by the use of our new design framework. The use of stronger S-boxes is seen as a key factor of any approach used to strengthen DES and increase its key size. The S-boxes determine the strength of the cryptosystem, and increasing the key size without strengthening the S-boxes is not deemed to be wise.

Conclusions 

In this paper we introduced the static and dynamic views of an S-box and used these abstractions to define the properties of an Ideal S-box based on information theoretic ideas. We then presented a new set of design criteria for S-boxes based on the properties of an Ideal S-box and illustrated how it can be used to strengthen DES-like cryptosystems. The new set of design criteria should be a valuable tool that can be used to create S-boxes for cryptosystems of the future.